Summary 

This paper presents a strategy for dynamically monitoring digital controllers in the laboratory 
for susceptibility to electromagnetic disturbances that compromise control integrity. The integrity 
of digital control systems operating in harsh electromagnetic environments can be compromised by 
upsets caused by induced transient electrical signals. Digital system upset is a functional error 
mode that involves no component damage, can occur simultaneously in all channels of a redundant 
control computer, and is software dependent. The motivation for this work is the need to develop 
tools and techniques that can be used in the laboratory to validate and/or certify critical aircraft 
controllers operating in electromagnetically adverse environments that result from lightning, 
high-intensity radiated fields (HIRF), and nuclear electromagnetic pulses (NEMP). 

The detection strategy presented in this paper provides dynamic monitoring of a given control 
computer for degraded functional integrity resulting from redundancy management errors, control 
calculation errors, and control correctness/effectiveness errors. In particular, this paper discusses 
the use of Kalman filtering, data fusion, and statistical decision theory in monitoring a given digital 
controller for control calculation errors. The control laws calculated in the digital controller are 
modeled as linear (or linearized) recursive state equations. This model is used in the design of Kalman 
filters that estimate the correct control calculations. These estimates of the correct calculations are 
compared with the calculations obtained by the control computer. Residuals are generated and 
used in probabilistic decision rules to determine if the calculations performed by the control unit 
are faulty. A decision is made for the command calculation of each control loop, and these local 
decisions are optimally weighted and fused into a decision on the integrity of control calculations. A 
simple example is included to illustrate the concept. 

Introduction 

Future advanced aircraft will require systems for stability augmentation as well as guidance and 
control that will be critical to the flight of the aircraft. The trend in avionics technology is the 
implementation of control laws on digital computers that are interfaced to the sensors and control 
surface actuators of the aircraft. Since these control systems will be flight critical, the problem of 
verifying the integrity of the control computer in adverse, as well as nominal, operating environments 
becomes a key issue in the development and certification of a critical control system. 

An operating environment of particular concern results from the presence of electromagnetic 
fields caused by sources such as lightning, high-intensity radiated fields (HIRF), and nuclear 
electromagnetic pulses (NEMP). Electromagnetic fields may cause analog electrical transients to be 
induced on the aircraft wiring, and these signals can propagate to the onboard electronic equipment 
despite shielding and protective devices such as filters and surge suppressors. Digital computer 
systems have two types of effects that can be caused by transient electrical signals. The first is 
component damage that requires repair or replacement of the equipment. The second effect to a 
digital system is characterized by functional error modes, collectively known as upset, which involve 
no component damage. 

Functional error modes of a fault-tolerant controller that can be termed as upset in the system 
are characterized by (1) faulty input/output (I/O) processing and command calculations that 
result in off-nominal system behavior or degraded system performance, and (2) faulty redundancy 
management decisions that result in degraded system performance and/or reliability. In the case of 
upset, normal operation can be restored to the system by corrective action such as resetting/reloading 
the software or by an internal recovery mechanism, such as an automatic rollback to a system state 
prior to the disturbance. The subject of effective and reliable internal upset recovery mechanisms is 
another current topic for research. The usual features of fault-tolerant systems such as redundant 
input and output checking and selection, surge suppression devices and filters, and a redundant 
microprocessor architecture with voting may not be sufficient to ensure correct operation in an 
electromagnetically adverse operating environment. Surge suppression devices and filters are effective 
for large-amplitude, high-frequency transients. However, low-amplitude signals at frequencies near 
the clock speeds of digital circuitry can be generated by electromagnetic fields and propagate to 
electronic equipment onboard an aircraft. In addition, redundancy protects against single-mode 
failures that occur in one channel of the system, but it does not protect against the potential 
common-mode failure (i.e., upset) of all channels in the redundant system as a result of transient 
signals induced by a single electromagnetic disturbance. 

To date, no comprehensive guidelines or criteria exist for detecting upset in fault-tolerant 
digital control computers, designing reliable internal upset recovery mechanisms, performing tests or 
analyses on digital controllers to verify control integrity, or evaluating upset susceptibility/reliability 
in electromagnetically adverse operating environments. In order to assess a digital control computer 
for upset susceptibility, the issue of upset detection must be addressed. Real-time considerations 
for upset detection would reduce post data processing requirements during validation/certification 
testing. Therefore, the objective of this research is to develop an upset detection methodology 
for real-time laboratory implementation. During laboratory tests, a given digital computer-based 
control system will be evaluated for upset susceptibility when subjected to analog transient electrical 
signals like those that would be induced by lightning, HIRF, or NEMP. 

The objective of this paper is to present an upset detection strategy for monitoring a given 
fault-tolerant controller for degraded control integrity resulting from redundancy management 
errors, control law calculation errors, and control correctness/effectiveness errors. Kalman filtering, 
statistical decision theory, and data fusion are used in the detection of redundancy management 
errors and control calculation errors. Analytical redundancy of the control laws provides a reference 
of the correct control command for the given dynamic mode of the plant. This reference command 
and an actuator model are used in the control correctness/effectiveness decision. In particular, this 
paper focuses on the use of Kalman filtering, data fusion, and decision theory in monitoring a digital 
controller for control law calculation errors. 

An upset test methodology for control computers was discussed in reference 1. However, this 
methodology relies on postprocessing of data collected during each test. Since the detection strategy 
presented in this paper is for eventual real-time implementation, it will eliminate the need to store 
data during tests in which upset does not occur. In addition, the strategy provides an indication 
of where errors occurred for diagnostic purposes so that any desired postprocessing of the data is 
simplified. 

Other works in failure detection methods include the detection of sensor failures in turbofan 
engines (ref. 2) and the detection of failures in aircraft actuators and control surfaces (ref. 3). In 
reference 2, analytical redundancy, Kalman filtering, and decision theory were used to detect sensor 
failures in an F-100 turbofan engine. Out-of-range or large bias errors that occurred instantaneously 
were detected by comparing measured sensor values with those of an analytical model, taking the 
absolute value, and comparing this residual to a threshold. Small bias errors and drift in sensor 
measurements were detected using multiple-hypothesis testing methods in which each hypothesis 
corresponded to a particular sensor failure. Once a sensor failure was detected, the elements of an 
interface switch matrix were changed so that a Kalman filter estimate of the sensor value replaced 
the measurement in the input vector used in the control laws. The methodology of reference 2 was 
demonstrated on a hybrid real-time simulation of the F-100 engine as well as on a full-scale F-100 
engine with good results. However, this methodology was not designed to detect failures in systems 
with physically redundant sensors and computers and, therefore, does not use data fusion methods. 

In reference 3, analytical redundancy and decision theory were used to detect actuator failures 
and control surface failures in aircraft. The design methodology consisted of two failure detection 
and identification (FDI) algorithms or subsystems: one for actuator failures and one for control 
surface failures. In the actuator FDI subsystem, an analytical model was implemented to generate 
a prediction of the dynamic behavior of the actuators. This prediction was compared with 
measurements taken from the actuators, and a residual was generated and used in a decision 
process. The control surface FDI subsystem was designed in a similar fashion. The methodology 
of reference 3 was demonstrated using a six-degree-of-freedom nonlinear simulation of a modified 
Boeing 737 airplane with good results. This methodology was not designed to detect failures in 
physically redundant systems and did not use data fusion techniques. 

A formulation of the problem considered in this paper follows a list of symbols used in the 
notation. The monitoring strategy is presented in the next section and focuses on the detection 
of control law calculation errors in redundant processors. An example is presented in which the 
calculation error-detection scheme is demonstrated on a hypothetical quad-redundant processing 
system. The final section of this paper contains some remarks on the detection strategy. 


Symbols 

Bold type denotes vector and matrix variables. A dot over a symbol indicates a derivative with 
respect to time. 

A                  plant system matrix 
B                  plant control input matrix 
C_f^γ              system matrix for γ sensors measuring parameter f 
                   plant state measurement matrix 
d(k)               global upset decision that results from fusion of d_c(k), d_e(k), and d_r(k) 
d_c^i(k)           decision vector for control law calculations of processor i 
d_c(k)             decision scalar for control law calculations that results from fusion of 
                   elements in d_c^i(k) 
d_e(k)             decision vector for control correctness/effectiveness 
d_e(k)             decision scalar for control correctness/effectiveness that results from fusion 
                   of elements in d_e(k) 
d_in^i(k)          decision vector for input selection process of processor i 
d_out(k)           decision vector for output selection process of controller 
d_r(k)             decision scalar for input/output redundancy management that results from 
                   fusion of elements in d_in^i(k) and d_out(k) 
E_f^i(k)           input-selection state transition matrix for parameter f of processor i 
F_c^i              control law calculation state transition matrix 
G_c^i              input matrix for control law calculation state vector of processor i 
H_c^i              control law calculation measurement matrix 
I                  identity matrix 
J^i                input-selection state measurement matrix 
K^i(k)             Kalman filter gain matrix for state estimate for control law 
k                  discrete time variable 
L_j(k)             output-selection state transition matrix for jth control law calculation 
M                  output-selection measurement matrix 
P                  actuator measurement matrix 
P^i(k|k−1)         predicted error covariance matrix for estimate of control law calculation of 
                   processor i 
P^i(k|k)           updated error covariance matrix for estimate of control law calculation of 
                   processor i 
Q_c^i              covariance matrix for process noise of control law calculation of processor i 
R_c^i              covariance matrix for measurement noise of control law calculation of 
                   processor i 
r_c^i(k)           residual vector of decision rule for detecting control law calculation errors 
                   in processor i 
s_f(k)             discretized redundant plant sensor vectors for parameter f 
s_f(t)             continuous redundant plant sensor vectors for parameter f 
s_f^γ(t)           γ-redundant sensor measurement of plant parameter f 
T                  actuator state transition matrix 
u(t)               control input to plant from actuators 
v_c^i(k)           measurement noise for control law calculation of processor i 
v_f(k)             measurement noise for redundant sensors of plant parameter f 
v_in^i(k)          measurement noise for selected input vector of processor i 
v_out(k)           measurement noise for selected output vector of controller 
v_u(k)             measurement noise for actuators 
w_c^i(k)           process noise for control law calculation of processor i 
w_f^γ(t)           process noise for γ-redundant sensors measuring plant parameter f 
w_in_f^i(k)        process noise for selection of input parameter f of processor i 
w_out_j(k)         process noise for selection of control output parameter j 
w_u(t)             process noise for actuators 
x_p(t)             plant state vector 
x_c^i(k)           control law calculation state vector of processor i 
x̂_c^i(k|k−1)      predicted state estimate of control law calculation state vector of 
                   processor i 
x̂_c^i(k|k)        updated state estimate of control law calculation state vector of processor i 
Y_in^i(k)          selected input vector for processor i 
Y_out(k)           selected control output vector of controller 
Y_out(t)           continuous form of selected control output vector 
y_in_f^i(k)        selected value of input parameter f for processor i 
y_out_j(k)         selected value of control law calculation j 
Γ_j                noise matrix for output selection process of controller 
ε_c^i              process noise matrix for control law calculation of processor i 
Λ                  selected-output vector compression matrix 
ξ_f^γ              process noise matrix for γ-redundant sensors of plant parameter f 
Π                  process noise matrix for actuators 
Φ                  process noise matrix for plant 
ψ_f^i              noise matrix for input selection process of plant parameter f of processor i 
                   plant state measurement matrix 

Special notation: 

H_0c               hypothesis that control law calculation in controller is correct 
H_0c^i             hypothesis that control law calculations of processor i are correct 
H_0cj^i            hypothesis that control law calculation j of processor i is correct 
H_1c               hypothesis that calculation of control laws in controller is incorrect 
H_1c^i             hypothesis that control law calculations of processor i are incorrect 
H_1cj^i            hypothesis that control law calculation j of processor i is incorrect 
ln                 natural logarithm 
P(D_0cj^i | H_1cj^i)  probability of deciding that control law calculation j of processor i is 
                   correct given that it is incorrect 
P(D_1cj^i | H_0cj^i)  probability of deciding that control law calculation j of processor i is 
                   incorrect given that it is correct 
P(H_0cj^i)         a priori probability that hypothesis H_0cj^i is correct for all processors 
PF_cj^i            probability of a false alarm for control law calculation j of processor i 
PM_cj^i            probability of a missed detection for control law calculation j of processor i 
PF_c               probability of a false alarm for control law calculations of controller 
PF_c^i             probability of a false alarm for control law calculations of processor i 
PM_c               probability of a missed detection for control law calculations of controller 
PM_c^i             probability of missed detection for control law calculations of processor i 
R                  set of real numbers 
T                  matrix transpose 
∈                  is an element of 
ρ_j^i              mean of innovations sequence for control law calculation j of processor i 

Subscripts: 

c                  control law calculation variable 
e                  command correctness/effectiveness variable 
f                  sensor variable for plant parameter f 
in                 input variable 
out                output variable 
p                  plant variable 
r                  input/output redundancy management variable 
u                  actuator variable 

Subsubscripts: 

f                  index for plant parameter 
j                  index for control law calculations 

Superscripts: 

i                  index for redundant processors 
m                  number of plant parameters being measured 
N                  dimension of actuator output state space 
n                  dimension of control law calculation state space 
p                  dimension of plant state space 
γ                  index for redundant sensors 
δ_f                number of redundant sensors measuring plant parameter f 
ν                  dimension of control output space 
σ                  number of redundant processors 
−1                 matrix inverse 

Abbreviations: 

A/D                analog to digital 
calc.              calculation 
cmd.               command 
cntl.              control 
cond.              conditioning 
decis.             decision 
effect.            effectiveness 
D/A                digital to analog 
EM                 electromagnetic 
FDI                failure detection and identification 
HIRF               high-intensity radiated fields 
I/O                input/output 
meas.              measurement 
mgt.               management 
NEMP               nuclear electromagnetic pulse 
μP1, μP2, ..., μPσ  microprocessors 
ROC                Receiver Operating Characteristics 
redun.             redundancy 
S/H                sample and hold 
sig.               signal 
Problem Formulation 

The fault-tolerant controller to be evaluated for upset susceptibility is interfaced in the laboratory 
to a simulation of the plant, redundant sensors, and actuators so that closed-loop dynamics are 
represented during testing. A block diagram of the laboratory setup is shown in figure 1. The 
controller with σ processors (or microprocessors (μP), designated as μP1 to μPσ) is subjected to 
disturbances like those that can occur in an electromagnetically harsh environment. In the case of 
lightning, transient signals that would be induced on internal wiring are generated. In the case of 
HIRF, electromagnetic (EM) fields that could occur from radars or high-power radio transmitters 
are generated. The control system is dynamically monitored for upset in real-time testing. In the 
event of the occurrence of upset during testing, the detection methodology will provide a framework 
for diagnosis of the upset in the given digital controller. 



Figure 1 . Laboratory configuration for upset evaluation of digital controllers. 


Consider the block diagram shown in figure 2 of a given control system consisting of the plant, 
redundant sensors, actuators, and fault-tolerant control computer. Input/output conversions and 
signal conditioning between the plant and controller are represented by the indicated blocks. Input 
processing functions including analog-to-digital (A/D) conversion, frequency-to-digital conversion, 
surge suppressors for protection against high-level transient signals, and filters to reduce 
high-frequency noise have been represented by the A/D and signal conditioning block. Output processing 
functions such as signal conditioning and digital-to-analog (D/A) conversion are represented by the 
D/A and signal conditioning block. 

The given fault-tolerant controller is modeled to consist of three basic blocks. The input 
selection and redundancy management block performs rate and/or range checks of the data values 
and generates the input data vector for each of the microprocessors. The redundant microprocessors 
calculate the control commands based on the input vector for each processor. Redundancy in 
the control computer protects against single-mode failure of components during normal operation. 
Figure 2. Control system with redundant sensors and microprocessors. 

The output selection and redundancy management block performs rate and/or range checks on the 
calculated commands from each processor and determines via voting, or some other scheme, the 
command to be output from the controller for each control loop. 

The linear model in the following discussion is proposed for the given control system of figure 2. 
The number of redundant sensors for the measurement of the fth plant parameter is given as δ_f, 
and the number of different plant measurements is given by m. The number of redundant processors 
is designated by σ. Each processor performs n calculations. The number of control outputs is 
given by ν. The control action in the plant is effected by N actuator signals. In equations (1) 
through (6), state variables, sensor values, and input/output variables are designated by x, s, and y, 
respectively. Control inputs are designated by u. System noise processes are designated by w. 
Variable superscripts index replicates of redundant system elements. Subscripts characterize the 
variables, and subsubscripts index elements of vector variables. Bold type denotes vector and matrix 
variables. 

In the linear model the plant state vector is given as 

$\dot{x}_p(t) = A\,x_p(t) + B\,u(t) + \Phi\,w_p(t) \qquad (x_p(t) \in R^p)$ (1) 

with sensors 

$s_f(t) = [\,s_f^1(t)\;\; s_f^2(t)\;\;\ldots\;\; s_f^{\delta_f}(t)\,]^T \qquad (s_f(t) \in R^{\delta_f})$ 

where 

$s_f^\gamma(t) = C_f^\gamma\,x_p(t) + \xi_f^\gamma\,w_f^\gamma(t) \qquad (\gamma = 1, 2, \ldots, \delta_f;\; f = 1, 2, \ldots, m;\; s_f^\gamma(t) \in R)$ (2) 

For input selection and redundancy management, 

$Y_{in}^i(k) = [\,y_{in_1}^i(k)\;\; y_{in_2}^i(k)\;\;\ldots\;\; y_{in_m}^i(k)\,]^T \qquad (Y_{in}^i(k) \in R^m)$ 

with 

$y_{in_f}^i(k) = E_f^i(k)\,s_f(k) + \psi_f^i\,w_{in_f}^i(k) \qquad (i = 1, 2, \ldots, \sigma;\; y_{in_f}^i(k) \in R;\; s_f(k) \in R^{\delta_f})$ (3) 

where 

$s_f(k) = [\,s_f^1(k)\;\; s_f^2(k)\;\;\ldots\;\; s_f^{\delta_f}(k)\,]^T \qquad (f = 1, 2, \ldots, m)$ 

For control law calculations of redundant controllers, 

$x_c^i(k+1) = F_c^i\,x_c^i(k) + G_c^i\,Y_{in}^i(k) + \epsilon_c^i\,w_c^i(k) \qquad (i = 1, 2, \ldots, \sigma;\; x_c^i(k) \in R^n)$ (4) 

where 

$x_c^i(k) = [\,x_{c_1}^i(k)\;\; x_{c_2}^i(k)\;\;\ldots\;\; x_{c_n}^i(k)\,]^T \qquad (x_{c_j}^i(k) \in R)$ 

For output processing and redundancy management, 

$Y_{out}(k) = \Lambda\,[\,y_{out_1}(k)\;\; y_{out_2}(k)\;\;\ldots\;\; y_{out_n}(k)\,]^T \qquad (Y_{out}(k) \in R^\nu)$ (5) 

where 

$y_{out_j}(k) = L_j(k)\,x_{c_j}(k) + \Gamma_j\,w_{out_j}(k) \qquad (j = 1, 2, \ldots, n;\; y_{out_j}(k) \in R)$ 

$x_{c_j}(k) = [\,x_{c_j}^1(k)\;\; x_{c_j}^2(k)\;\;\ldots\;\; x_{c_j}^\sigma(k)\,]^T \qquad (x_{c_j}(k) \in R^\sigma)$ 

For the actuators, 

$u(t) = T\,Y_{out}(t) + \Pi\,w_u(t) \qquad (u(t) \in R^N)$ (6) 

where 

$Y_{out}(t) = [\,y_{out_1}(t)\;\; y_{out_2}(t)\;\;\ldots\;\; y_{out_\nu}(t)\,]^T \qquad (Y_{out}(t) \in R^\nu)$ 

Equations (1)-(6) represent a hybrid model of continuous-time and discrete-time components. 
Equation (1) is the continuous-time state equation for the plant. Matrix A is the plant system 
matrix, u(t) is the control input, and w_p(t) reflects noise and/or modeling errors. Equation (2) is 
the continuous-time sensor model for the redundant sensors with w_f^γ(t) representing the sensor noise. 
Equation (3) is the discrete-time model for the selection and management of redundant sensor inputs 
s_f(k) for the fth plant parameter measurement with the noise term w_in_f^i(k) representing modeling 
error. Matrix E_f^i(k) is time varying to represent selection, rejection, voting, or fusion of redundant 
sensor measurements. If the given system has an input data selection process without data fusion, 
the elements of E_f^i(k) will be 0 or 1 and may be based on heuristics, such as the result of range and/or 
rate checks on the sensor measurements. In systems that fuse sensor measurements into a single 
value, matrix E_f^i(k) would represent the input data fusion process. Equation (4) is the discrete-time 
state equation for the calculation vector of the ith processor, and matrix F_c^i is the transition 
matrix. Matrix G_c^i is the measurement matrix for measurement vector Y_in^i(k) of the ith processor. 
Term w_c^i(k) reflects noise and/or modeling errors associated with the calculation vector from the 
ith processor. Equation (5) is the discrete-time model for the selection and management of the 
redundant calculations with modeling error accounted for in the noise term w_out_j(k). Matrix L_j(k) 
is time varying to represent selection or fusion of calculations for the output y_out_j(k) of the jth 
calculation during operation of the system. If the given system has a voting strategy for calculations, 
the elements of L_j(k) will be 0 or 1 and may be based on heuristics associated with the voting 
strategy. In systems that combine calculations into one output, L_j(k) would represent the calculation 
fusion process. Vector Y_out(k) represents the output control calculations. Matrix Λ collapses the 
calculation vector into the output command vector. Equation (6) is the continuous-time actuator 
model. The actuators receive the command vector Y_out(t) and affect the dynamics of the plant via 
u(t). The term w_u(t) reflects noise and/or modeling errors. 

Monitoring Strategy for Fault-Tolerant Control System 

In order to detect redundancy management errors, control calculation errors, and control 
effectiveness errors in the fault-tolerant controller, measurements of the control system of figure 2 
must be taken by the monitor. These measurements are indicated in figure 3, and their equations 
are presented as follows. 

[Figure 3; panel label: Fault-tolerant controller] 

The measurement of the plant state is given by 

$z_p(k) = x_p(k) + v_p(k) \qquad (z_p(k) \in R^p)$ (7) 

The measurement of sensor outputs is given by 

$z_f(k) = D_f\,s_f(k) + v_f(k) \qquad (f = 1, 2, \ldots, m;\; z_f(k) \in R^{\delta_f})$ (8) 

The measurement of input vectors is given by 

$z_{in}^i(k) = J^i\,Y_{in}^i(k) + v_{in}^i(k) \qquad (z_{in}^i(k) \in R^m)$ (9) 

The measurement of calculated commands is given by 

$z_c^i(k) = H_c^i\,x_c^i(k) + v_c^i(k) \qquad (i = 1, 2, \ldots, \sigma;\; z_c^i(k) \in R^n)$ (10) 

The measurement of the output command vector is given by 

$z_{out}(k) = M\,Y_{out}(k) + v_{out}(k) \qquad (z_{out}(k) \in R^\nu)$ (11) 

and the measurement of the actuator is given by 

$z_u(k) = P\,u(k) + v_u(k) \qquad (z_u(k) \in R^N)$ (12) 

In equations (7)-(12), D_f, J^i, H_c^i, M, and P are the measurement matrices. The terms 
v_p(k), v_f(k), v_in^i(k), v_c^i(k), v_out(k), and v_u(k) represent measurement noise. All noise processes in 
equations (1)-(12) are assumed to be independent, white, and Gaussian. 
The fault-tolerant control computer is monitored for errors in redundancy management and 
control command calculations, as well as for command correctness/effectiveness given the dynamic 
mode of the plant. In the context of this mathematical formulation, upset is defined as a change in 
any of the matrices E_f^i(k) of equation (3), F_c^i and G_c^i of equation (4), and L_j(k) of equation (5) 
that causes a reduction in effectiveness and/or reliability of the control system. A concept for upset 
detection in digital control computers is presented in figure 4. The upset detection strategy has 
three modules to monitor for input/output redundancy management errors, control law calculation 
errors, and control command errors. The distinction between these last two types of errors should 
be noted. Control calculation errors result when basic mathematical operations are performed 
incorrectly by the processor. Control command errors result when incorrect input parameters are 
used in calculations or when rate/range checks are performed incorrectly on the calculated result. 
A basic description of the three modules is given, but the paper focuses on the detection of control 
law calculation errors. 



Figure 4. Upset detection concept for digital control systems. 


Redundancy management processes in the control computer to be monitored are the input- 
parameter selection process, the output-command selection process, and the management of 
redundant resources. An example of a redundancy management error is the computer deciding that one of 
the redundant sensors is faulty and ignoring its measurements when, in fact, it is operating correctly. 
Since eliminating an unfaulted sensor reduces the redundancy and overall reliability of the system, 
this redundancy management error would constitute an upset. The redundancy management 
monitor detects incorrect changes in the matrices E_f^i(k) and L_j(k) of equations (3) and (5), respectively. 
Elements of these matrices are compared with the input/output selection codes of the controller to 
determine if the controller has eliminated resources that are not faulty. Input/output selection codes 
are binary words that are generated by the controller to reflect the choices made by the input/output 
selection logic. 

Inputs to the input selection error detection portion of this monitor are measurements of the 
sensor outputs (z_f(k)) and measurements of the selected input vector for each channel (z_in^i(k)). If 
an error is not detected in the input selection process, then each decision variable in the vector d_in^i(k) 
will maintain its nominal value of −1. If an error is detected in the input selection process, 
the corresponding element value of d_in^i(k) becomes unity. Inputs to the output selection error 
detection part of this monitor are measurements of the calculated control commands (z_c^i(k)) and 
the selected output commands (z_out(k)). If an error is not detected in the output selection process, 
the decision variables in the vector d_out(k) will maintain a nominal value of −1. If an error is 
detected in the output selection process, the appropriate element value of d_out(k) becomes unity. 
Individual decisions in d_in^i(k) and d_out(k) are combined or fused into a decision scalar for redundancy 
management errors (d_r(k)). 

The control law calculations of each processor are also monitored for errors. This monitoring is 
done dynamically as the calculations are made. Changes in the matrices F_c^i and G_c^i of equation (4) 
are detected by monitoring for errors in the calculated control commands. Inputs to the control law 
calculation error detector are measurements of the selected input vector for each channel (z_in^i(k)) and 
the calculation vector of each channel (z_c^i(k)). Individual decisions (d_c^i(k)) are made for the control 
law calculations of each processor, and these decisions are fused into a scalar error decision (d_c(k)) 
for the control law calculations of the controller. 

Analytical redundancy of the control laws provides a reference of the correct control command 
for the given dynamic mode of the plant. Inputs to the analytical model of the control laws are 
measurements of the plant state (z_p(k)). This analytical reference and the actuator measurement 
(z_u(k)) are used in a decision process to determine if the calculated command output vector (Y_out(k)) 
is correct and is, therefore, effective in regulating the plant under a given dynamic situation. It should 
be noted that this is not an evaluation of the control law design. The control laws are assumed to be 
designed appropriately, to be validated prior to this assessment of the controller, and to be effective 
in controlling the plant. Any lack of effectiveness in the control commands that are output by the 
controller during this assessment will, therefore, be the result of incorrectness of the commands 
that could be attributed to incorrectly selected input values or faulty rate/range checks. Thus, 
considerations such as range and rate limitations of the actuators will be inherent in this evaluation 
of the effectiveness of the control output. If an error in the control command is not detected, each 
of the decision variables in the vector d_e(k) will maintain its nominal value of −1. If an error in 
control correctness is detected, the appropriate value of d_e(k) becomes unity. Individual control 
error decisions are made for each control loop, and these decisions are combined or fused into one 
scalar error decision (d_e(k)) for the correctness/effectiveness of the control output vector. 

The decisions corresponding to redundancy management errors, control law calculation errors, 
and control correctness/effectiveness errors are fused into one global upset decision (d(k)), which 
has a nominal value of −1 and a value of unity for the upset decision. This global fusion process 
may be a logical OR rule, or it may provide weightings corresponding to the relative costs of the 
three error processes. In tests during which upset occurs and is signaled by the unity value of d(k), 
the redundancy management error decisions d_in^i(k) and d_out(k), the control law calculation error 
decisions d_c^i(k), and the control correctness/effectiveness error decisions d_e(k) are all stored in the 
monitor as a diagnostic aid for posttesting data analysis. A strategy for monitoring the control 
computer for erroneous control law calculations is now presented. 

Monitor for Control Law Calculation Error 

The approach for monitoring control law calculation errors in a controller with a single processor 
is shown in figure 5. Since the controller has a single processor, the redundancy index i is unity. The 
control law calculations are represented as a linear or linearized recursive state equation with state 
vector x_c^i(k). A Kalman filter is used to generate the estimate vector x̂_c^i(k) of the correct state for 
the calculations based on measurements z_in^i(k) of the selected input vector and measurements z_c^i(k) 
of the control law calculation state vector. The estimate x̂_c^i(k) is compared with the measurement 
z_c^i(k) of the calculation vector to generate a residual vector r_c^i(k). A statistical decision rule is then 
applied to each element of the residual vector, and a decision d_c^i(k) is made regarding the correctness 
of the calculations, given the selected input vector. Decisions for the individual calculations are then 
fused into a single decision (d_c^i(k)) for the correctness of the calculations. 

Figure 5. Strategy for monitoring control law calculation errors in digital controllers with a single processor. 

The approach shown in figure 5 is readily extended to dynamically monitor processor calculations 
in redundant systems and is illustrated in figure 6. The global decision d_c(k) on whether calculation 
errors have occurred is based on the fusion of the scalar calculation-error decisions d_c^i(k) for 
the redundant processors. The scalar calculation-error decision d_c^i(k) for each processor is generated by the 
process described in figure 5. Previous work (ref. 4) compared two distributed detection strategies, 
each using a different type of data fusion. One strategy involved a single global decision based on the 
fusion of local estimates, and the other strategy involved the fusion of local decisions into a single 
global decision. The performance of a statistical decision process is determined by the Receiver 
Operating Characteristic (ROC) curve, which is a plot of the probability of detection versus the 
probability of false alarm, with the decision threshold as the varying parameter. The ROC curve 
of the strategy with decision fusion was shown to be more desirable for two cases. Therefore, the 
strategy of figure 6 uses fusion of local decisions. In order to illustrate the strategy for dynamically 
monitoring the calculations of redundant processors, a simple example is presented. 

Figure 6. Strategy for monitoring control law calculation errors in digital controllers with redundant processors. 

Example for Quad-Redundant Processor 

Consider a system of four redundant processing channels. Let the model of the calculations to be 
made by the four channels be given by third-order linear recursive equations. Thus, for a processor 
calculation we have 

$$ x_c^i(k+1) = F_c^i\, x_c^i(k) + G_c^i\, Y_{in}^i(k) + C_c^i\, w_c^i(k) \qquad (i = 1, 2, 3, 4) \qquad (13) $$

with a measurement 

$$ z_c^i(k) = H_c^i\, x_c^i(k) + v_c^i(k) \qquad (i = 1, 2, 3, 4) \qquad (14) $$

where 

The above matrices have no physical significance and were selected to ensure stability and observability. 
The calculations from the ith processor are represented by state vector x_c^i(k); the corresponding 
state transition matrix is given by F_c^i. The input to each channel is Y_in^i(k) with input matrix G_c^i. 
The form of the input Y_in^i(k) is 

$$ Y_{in}^i(k) = \big[ u_j^i(k) \big] = \big[ \sin(2.4k) \;\; \cos(2.4k) \;\; \sin(1.4k) \;\; \cos(1.4k) \big] \qquad (i = 1, 2, 3, 4) $$

The process noise for each channel is represented by zero-mean white Gaussian noise w_c^i(k) and noise 
matrix C_c^i(k). The measurement matrix for each channel is H_c^i, and the zero-mean white Gaussian 
measurement noise is v_c^i(k). The assumption is made that w_c^i(k) and v_c^i(k) are independent with 
covariances Q_c^i and R_c^i, respectively. For this example, 



$$ Q_c^i(k) = \begin{bmatrix} 0.5 & 0 & 0 \\ 0 & 0.5 & 0 \\ 0 & 0 & 0.5 \end{bmatrix} \qquad R_c^i(k) = \begin{bmatrix} 0.7 & 0 & 0 \\ 0 & 0.7 & 0 \\ 0 & 0 & 0.7 \end{bmatrix} $$


After 10 iterations in the simulation of the calculation process, a perturbation occurs such that the 
matrix F_c^i for each channel is changed to the transpose [F_c^i]^T, thus yielding an incorrect calculation. 
Detecting that a perturbation has occurred using Kalman filtering, statistical decision theory, and 
data fusion is desired. 

The Kalman filters are implemented in Prediction-Correction Form (ref. 5) and estimate the 
calculated command vector of each processor. Thus, for a predicted state estimate, 

$$ \hat{x}_c^i(k|k-1) = F_c^i(k)\, \hat{x}_c^i(k-1|k-1) + G_c^i(k)\, z_{in}^i(k) \qquad (15) $$

the predicted error covariance is 

$$ P_c^i(k|k-1) = F_c^i(k)\, P_c^i(k-1|k-1)\, [F_c^i(k)]^T + C_c^i(k)\, Q_c^i(k)\, [C_c^i(k)]^T \qquad (16) $$

The filter gain is 

$$ K_c^i(k) = P_c^i(k|k-1)\, [H_c^i(k)]^T \big\{ H_c^i(k)\, P_c^i(k|k-1)\, [H_c^i(k)]^T + R_c^i(k) \big\}^{-1} \qquad (17) $$

For the updated state estimate, 

$$ \hat{x}_c^i(k|k) = \hat{x}_c^i(k|k-1) + K_c^i(k) \big[ z_c^i(k) - H_c^i(k)\, \hat{x}_c^i(k|k-1) \big] \qquad (18) $$

the updated error covariance is 

$$ P_c^i(k|k) = \big[ I - K_c^i(k)\, H_c^i(k) \big] P_c^i(k|k-1) \qquad (19) $$


The state estimation errors for each of the four Kalman filters are shown in figure 7. Note that once 
the Kalman filters have reached steady state, the estimation errors are 0 until the state transition 
matrices are changed at 10 iterations. 

Figure 7. State estimation errors for the four Kalman filters of the example (panels x_1, x_2, x_3). 


The residual for each channel is the absolute value of the innovations sequence, which is the 
bracketed term in equation (18). Thus, the residual vector is given by 

$$ r_c^i(k) = \big[ r_{c_j}^i \big] = \big| z_c^i(k) - H_c^i(k)\, \hat{x}_c^i(k|k-1) \big| \qquad (j = 1, 2, 3) \qquad (20) $$


The innovations sequence is a white random sequence whose mean (μ_c^i) is 0 if the calculations are 
correct. A Bayesian decision rule (ref. 6) will be used in this example for each calculation of each 
channel. The hypotheses for the decision rule for the jth calculation of the ith processor are given 
by 

$$ \begin{aligned} H1_{c_j}^i :\;& r_{c_j}^i(k) = \mu_{c_j}^i + v_{c_j}^i(k) \;\rightarrow\; \text{Incorrect calculation} \qquad & (\text{Mean} = \mu_{c_j}^i \neq 0) \\ H0_{c_j}^i :\;& r_{c_j}^i(k) = v_{c_j}^i(k) \;\rightarrow\; \text{Correct calculation} \qquad & (\text{Mean} = \mu_{c_j}^i = 0) \end{aligned} \qquad (21) $$

For this example, the a priori probabilities for these hypotheses are 0.5. The decision rule for the 
Gaussian case assuming unity variance is given by 

(22) 


The left-hand side of equation (22) is the residual given in equation (20), and the right-hand side 
of equation (22) is the threshold for the decision process. The threshold is dependent on the mean 
of the residual, the a priori probabilities of the hypotheses given in equations (21), and the costs 
associated with the decision process. The term C_{αβ c_j} is the cost of deciding, for the jth calculation, 
that α is true when β is actually true. If the residual is less than the threshold, then hypothesis 
H0_{c_j}^i of equations (21) is accepted and the calculation is considered correct. Otherwise, hypothesis 
H1_{c_j}^i is accepted and the calculation is considered incorrect. For this example, the costs of making 
a correct decision (i.e., α = β) are all 0, and the costs of making an incorrect decision (i.e., α ≠ β) 
are all 0.5. The performance of the Bayesian detectors for each channel, in terms of the probability 
of false alarm and the probability of miss, is given, respectively, by 

$$ Pfa_{c_j}^i = P(D1 \mid H0_{c_j}^i) = \int_{\eta}^{\infty} \frac{1}{\sqrt{2\pi}}\, e^{-r^2/2}\, dr \qquad (23) $$

and 

$$ Pm_{c_j}^i = P(D0 \mid H1_{c_j}^i) = \int_{-\infty}^{\eta} \frac{1}{\sqrt{2\pi}}\, e^{-(r - \mu_{c_j}^i)^2/2}\, dr \qquad (24) $$

For this example, the residuals are the innovations sequence defined in equation (20), and the 
means μ_{c_j}^i are unity. The integral limit η is defined to be the threshold given as the right-hand 
side of equation (22). 
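The monitor of figure 5 for one channel of the example, as an added worked example (not code from the paper): it runs the recursive calculation of equation (13), the prediction-correction filter of equations (15) to (19), the residual of equation (20) and the per-element Bayesian decision with the page's parameters (means of unity, equal priors, costs 0 for correct and 0.5 for incorrect decisions). The paper's F, G, H and C matrices are not on the page, so the 3x3 and 3x4 matrices below are constructed here (a stable, deliberately non-symmetric F so that replacing it by F^T changes the calculation); Q = 0.5 I and R = 0.7 I follow the page. The threshold function is the textbook Gaussian unit-variance likelihood-ratio threshold, since equation (22) is not reproduced, and the simulation injects no process or measurement noise, as the zero steady-state error of figure 7 suggests, so the residual is exactly 0 until the fault at iteration 10.

```python
"""One channel of the quad-redundant example: recursive calculation, Kalman filter
in prediction-correction form, absolute-innovation residual, Bayesian decisions.
Constructed example; the model matrices are assumptions, not the paper's."""
import math

# ---- tiny dense-matrix helpers (lists of lists) so the example needs no numpy ----
def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def transpose(A):
    return [list(col) for col in zip(*A)]

def madd(A, B):
    return [[a + b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def msub(A, B):
    return [[a - b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def identity(n):
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]

def inverse(A):
    """Gauss-Jordan inverse with partial pivoting (A is small and well conditioned)."""
    n = len(A)
    M = [row[:] + identity(n)[i] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        piv = M[c][c]
        M[c] = [v / piv for v in M[c]]
        for r in range(n):
            if r != c:
                f = M[r][c]
                M[r] = [rv - f * cv for rv, cv in zip(M[r], M[c])]
    return [row[n:] for row in M]

# ---- constructed model of the processor's calculation (assumed, not the paper's) ----
F = [[0.2, 0.7, 0.0], [0.0, 0.2, 0.7], [0.0, 0.0, 0.2]]   # stable, non-symmetric
G = [[1.0, 0.0, 0.0, 0.0], [0.0, 1.0, 0.0, 0.0], [0.0, 0.0, 1.0, 1.0]]
H = identity(3)
C = identity(3)
Q = [[0.5 if i == j else 0.0 for j in range(3)] for i in range(3)]   # page: Q = diag(0.5)
R = [[0.7 if i == j else 0.0 for j in range(3)] for i in range(3)]   # page: R = diag(0.7)

def y_in(k):
    """Selected input vector of the page: [sin 2.4k, cos 2.4k, sin 1.4k, cos 1.4k]."""
    return [[math.sin(2.4 * k)], [math.cos(2.4 * k)], [math.sin(1.4 * k)], [math.cos(1.4 * k)]]

def bayes_threshold(mu, p0=0.5, p1=0.5, c10=0.5, c01=0.5, c00=0.0, c11=0.0):
    """Textbook threshold of the unit-variance Gaussian likelihood-ratio test
    (assumed form; the page's equation (22) is not reproduced). Page values give 0.5."""
    return mu / 2.0 + math.log(p0 * (c10 - c00) / (p1 * (c01 - c11))) / mu

def simulate(steps=20, fault_at=10, mu=1.0):
    """Run the calculation (13), the filter (15)-(19), the residual (20) and the
    per-element decisions. Returns a list indexed by k of (residual vector,
    decision vector), decisions in {-1, +1}; entry 0 is a placeholder."""
    eta = bayes_threshold(mu)
    x = [[0.0], [0.0], [0.0]]        # true calculation state x_c(k)
    x_hat = [[0.0], [0.0], [0.0]]    # x_hat_c(k|k), initialised exactly
    P = identity(3)
    out = [([0.0] * 3, [-1] * 3)]
    for k in range(1, steps + 1):
        u = y_in(k - 1)                                # input that produced x(k)
        F_proc = transpose(F) if k > fault_at else F   # fault: processor uses F^T
        x = madd(matmul(F_proc, x), matmul(G, u))      # eq 13, no injected noise
        z = matmul(H, x)                               # eq 14, no injected noise
        # prediction (15), (16): the filter always uses the correct model F
        x_pred = madd(matmul(F, x_hat), matmul(G, u))
        P_pred = madd(matmul(matmul(F, P), transpose(F)),
                      matmul(matmul(C, Q), transpose(C)))
        # gain (17), state update (18), covariance update (19)
        S = madd(matmul(matmul(H, P_pred), transpose(H)), R)
        K = matmul(matmul(P_pred, transpose(H)), inverse(S))
        innov = msub(z, matmul(H, x_pred))
        x_hat = madd(x_pred, matmul(K, innov))
        P = matmul(msub(identity(3), matmul(K, H)), P_pred)
        r = [abs(v[0]) for v in innov]                 # eq 20: |innovation|
        d = [1 if rj > eta else -1 for rj in r]        # local decisions d_{c_j}
        out.append((r, d))
    return out

if __name__ == "__main__":
    for k, (r, d) in enumerate(simulate()):
        print(k, [round(v, 3) for v in r], d)
```

With these constructed matrices the first and third residuals exceed the threshold of 0.5 at iteration 11 while the second does not: the innovation right after the fault is (F^T - F) x(10), and its second component happens to be small. That is exactly the situation the fusion of the three local decisions is meant to handle.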


The error decisions for the three calculations of the state vector from processor 1 are shown in 
figure 8. In these plots, a value of 0 means that the decision process had not yet begun because 
the Kalman filters were being initialized. A value of -1 indicates that the calculation is correct, 
and a value of +1 indicates that the calculation is incorrect. For each calculation, all residuals 
were larger than the thresholds after 10 iterations, and thus the three calculations were considered 
incorrect. This decision is reflected in each of the three plots by the transition from -1 to +1. The 
error decision plots for the calculations of processors 2, 3, and 4 are analogous to figure 8. The 
probabilities of a missed detection and false alarm for the local decisions of each processor are 0.3083 
and 0.0665, respectively. 

Figure 8. Error decisions for each calculation of the state vector from processor 1. 

The fusion hypotheses for each processor are given by 

$$ \begin{aligned} H1_c^i &: \text{Incorrect command calculations of } i\text{th processor} \\ H0_c^i &: \text{Correct command calculations of } i\text{th processor} \end{aligned} $$

The a priori probabilities for these hypotheses are 0.5 for this example. The fusion rule (ref. 7) for 
the local decisions from each processor is given by 

$$ d_c^i(k) = f\big( d_{c_j}^i(k) \big) = \begin{cases} H1_c^i & \Big( a_0^i + \sum_{j=1}^{3} a_{c_j}^i\, d_{c_j}^i(k) > 0 \Big) \\ H0_c^i & (\text{otherwise}) \end{cases} \qquad (25) $$

where 

$$ a_0^i = \ln \frac{P(H1_c^i)}{P(H0_c^i)}, \qquad a_{c_j}^i = \begin{cases} \ln \dfrac{1 - Pm_{c_j}^i}{Pfa_{c_j}^i} & (d_{c_j}^i(k) = 1) \\[6pt] \ln \dfrac{1 - Pfa_{c_j}^i}{Pm_{c_j}^i} & (d_{c_j}^i(k) = -1) \end{cases} $$

The optimal fusion rule of reference 7 shown in equation (25) is a weighted sum of the local 
decisions for each processor. The weights are based on the performance of the local detectors. 
The performance of this fusion process for each processor, assuming equal local noise covariances, 
was given in reference 4 to be 

$$ PF_c^i = \sum_{j=0}^{3} \binom{3}{j} (Pfa_c^i)^j (1 - Pfa_c^i)^{3-j}\, u\big[ A_c^{i0} + a_c^i (2j - 3) \big] \qquad (26) $$

and 

$$ PM_c^i = \sum_{j=0}^{3} \binom{3}{j} (1 - Pm_c^i)^j (Pm_c^i)^{3-j}\, u\big[ A_c^{i0} + a_c^i (3 - 2j) \big] \qquad (27) $$

where 

$$ A_c^{i0} = \ln \frac{P(H1_c^i)}{P(H0_c^i)} + \frac{3}{2} \ln \frac{Pm_c^i (1 - Pm_c^i)}{Pfa_c^i (1 - Pfa_c^i)}, \qquad a_c^i = \frac{1}{2} \left[ \ln \frac{1 - Pm_c^i}{Pfa_c^i} + \ln \frac{1 - Pfa_c^i}{Pm_c^i} \right] $$

with 

u[·] = unit step function, Pm_c^i = Pm_{c_1}^i = Pm_{c_2}^i = Pm_{c_3}^i, Pfa_c^i = Pfa_{c_1}^i = Pfa_{c_2}^i = Pfa_{c_3}^i 

The fused error decision for the calculations of processor 1 is shown in figure 9. Note that figure 9 
shows the plot of the error decision that results from the fusion of the three error decisions for 
the calculations of processor 1, as shown in figure 8. The fused error decision of figure 9 indicates 
the decision that the calculations of processor 1 are incorrect after iteration 10. The fused error 
decisions for the calculations of processors 2-4 were essentially identical to those of processor 1 
shown in figure 9. The probabilities of a missed detection and false alarm for the fused decisions of 
each processor are 0.2265 and 0.0127, respectively. 
Figure 9. Fused error decision for local error decisions for processor 1. 
The hypotheses for the fused decision process for global command calculations are given by 

$$ \begin{aligned} H1_c &: \text{Incorrect calculation} \\ H0_c &: \text{Correct calculation} \end{aligned} \qquad (28) $$

For this example, the a priori probabilities for these hypotheses are 0.5. The fused decision process 
for global command calculations is given by the same algorithm of reference 7 and is 

$$ d_c(k) = \begin{cases} H1_c & \Big( a_0 + \sum_{i=1}^{4} a_c^i\, d_c^i(k) > 0 \Big) \\ H0_c & (\text{otherwise}) \end{cases} \qquad (29) $$

where 

$$ a_0 = \ln \frac{P(H1_c)}{P(H0_c)}, \qquad a_c^i = \begin{cases} \ln \dfrac{1 - PM_c^i}{PF_c^i} & (d_c^i(k) = 1) \\[6pt] \ln \dfrac{1 - PF_c^i}{PM_c^i} & (d_c^i(k) = -1) \end{cases} $$

The performance of this global fusion process is given by 

$$ PF_c = \sum_{i=0}^{4} \binom{4}{i} (PF_c^i)^i (1 - PF_c^i)^{4-i}\, u\big[ A_c^0 + a_c (2i - 4) \big] \qquad (30) $$

and 

$$ PM_c = \sum_{i=0}^{4} \binom{4}{i} (1 - PM_c^i)^i (PM_c^i)^{4-i}\, u\big[ A_c^0 + a_c (4 - 2i) \big] \qquad (31) $$

where 

$$ A_c^0 = \ln \frac{P(H1_c)}{P(H0_c)} + 2 \ln \frac{PM_c (1 - PM_c)}{PF_c (1 - PF_c)}, \qquad a_c = \frac{1}{2} \left[ \ln \frac{1 - PM_c}{PF_c} + \ln \frac{1 - PF_c}{PM_c} \right] $$

with 

u[·] = unit step function, PM_c = PM_c^1 = PM_c^2 = PM_c^3 = PM_c^4, PF_c = PF_c^1 = PF_c^2 = PF_c^3 = PF_c^4 

The global error decision that results from the fusion of the error decisions for processors 1-4 is 
shown in figure 10. The plot indicates that after 10 iterations, calculations made by the four-channel 
system are considered incorrect. The global probabilities of a missed detection and false alarm are 
0.2228 and 0.000948, respectively. 

Figure 10. Global error decision for calculations in a four-channel system. 
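An added example (not code from the paper) of the local fusion rule of equation (25) and the global rule of equation (29), with the weights in the form the page gives (ln[(1 - PM)/PF] applied to a +1 local decision, ln[(1 - PF)/PM] to a -1), together with the binomial performance sums of equations (26), (27), (30) and (31) written for any rule that depends only on how many local detectors vote +1. The local error probabilities are the page's 0.3083 (miss) and 0.0665 (false alarm); the priors are 0.5 as in the example.

```python
"""Decision fusion for identical, independent local detectors (constructed example).
Implements the weighted-sum rule of the page and the binomial performance sums."""
import math

PM_LOCAL = 0.3083    # page: probability of miss of each local detector
PFA_LOCAL = 0.0665   # page: probability of false alarm of each local detector

def fusion_weights(pm, pfa, p_h1=0.5, p_h0=0.5):
    """a0 and the two per-detector weights: one used when the local decision
    is +1, the other when it is -1 (form given on the page after eq. (29))."""
    a0 = math.log(p_h1 / p_h0)
    a_plus = math.log((1.0 - pm) / pfa)
    a_minus = math.log((1.0 - pfa) / pm)
    return a0, a_plus, a_minus

def fuse(decisions, pm=PM_LOCAL, pfa=PFA_LOCAL, p_h1=0.5, p_h0=0.5):
    """Equations (25)/(29): decide H1 (+1) when a0 + sum_j a_j d_j > 0, else H0 (-1)."""
    a0, a_plus, a_minus = fusion_weights(pm, pfa, p_h1, p_h0)
    s = a0
    for d in decisions:
        s += a_plus if d == 1 else -a_minus   # d = -1 contributes -ln((1-Pfa)/Pm)
    return 1 if s > 0 else -1

def majority(decisions, k):
    """Plain k-of-n vote: +1 when at least k local detectors say +1."""
    return 1 if sum(1 for d in decisions if d == 1) >= k else -1

def fused_performance(n, rule, pm=PM_LOCAL, pfa=PFA_LOCAL):
    """Binomial sums in the form of (26)-(27) and (30)-(31): enumerate j, the
    number of +1 votes among n identical, independent local detectors; the
    page's unit step becomes 'does `rule` decide +1 with j positive votes?'.
    Returns (probability of false alarm, probability of miss) of the fused decision."""
    pf = pmiss = 0.0
    for j in range(n + 1):
        votes = [1] * j + [-1] * (n - j)
        comb = math.comb(n, j)
        if rule(votes) == 1:
            pf += comb * pfa ** j * (1 - pfa) ** (n - j)      # H0 true, fused says H1
        else:
            pmiss += comb * (1 - pm) ** j * pm ** (n - j)     # H1 true, fused says H0
    return pf, pmiss

if __name__ == "__main__":
    print("weighted rule, 3 local detectors:", fused_performance(3, fuse))
    print("2-of-3 majority:", fused_performance(3, lambda v: majority(v, 2)))
    pf3, pm3 = fused_performance(3, lambda v: majority(v, 2))
    print("2-of-4 majority over the fused decisions:",
          fused_performance(4, lambda v: majority(v, 2), pm=pm3, pfa=pf3))
```

Two things are worth noticing when running it. The page's fused probabilities 0.0127 and 0.2265 are the binomial sums of a 2-of-3 vote, and 0.000948 is the 2-of-4 false-alarm sum over those fused values. And with these local error rates the weighted rule is less conservative than a majority, because ln[(1 - Pm)/Pfa] ≈ 2.34 exceeds 2 ln[(1 - Pfa)/Pm] ≈ 2.22, so a single +1 local decision outweighs two -1 decisions; evaluating the sums for the rule actually deployed shows such threshold effects before the monitor is trusted.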
Concluding Remarks 

A strategy has been presented for dynamically monitoring digital controllers in the laboratory 
for susceptibility to electromagnetic disturbances. In particular, this paper discusses the use of 
Kalman filtering, data fusion, and decision theory in monitoring a given digital controller for control 
calculation errors. In this strategy, the control laws calculated in the digital controller were modeled 
as linear (or linearized) recursive state equations. This model was used in the design of Kalman filters 
that estimate the correct control calculations. The estimates of the correct control calculations were 
compared with the calculations obtained by the control computer. Residuals were then generated 
and used in probabilistic decision rules to determine if the calculations performed by the control 
unit were faulty. A decision was made for the command calculation of each control loop and these 
local decisions were weighted and fused into an integrity decision for control calculations by using 
an optimal fusion rule. 

An example of this process was presented which can be used as a baseline design for future work. 
Future work includes an analysis of the baseline design for detection sensitivity to changes in matrix 
parameter values. Designs of the statistical decision rules, data fusion algorithms, and Kalman filter 
gains can be performed to optimize trade-offs such as sensitivity and diagnostic capability versus 
complexity, reliable detection without false alarms, and sensitivity to erroneous parameter changes 
with robustness to modeling errors. 